[arch-general] SELinux packages status update
Hi,

I've updated all the SELinux related packages in the AUR. I've changed most package names to better fit with upstream names and the AUR naming policy (selinux-pam -> pam-selinux; selinux-usr-libselinux -> libselinux). I'll keep the old ones a week or two, just in case, then I'll ask for deletion.

I've only tested those packages in SELinux _disabled_ mode as currently there isn't any usable policy. I'll be working on this from now on.

Status of core packages that require patches or rebuild:

* linux: rebuild. Bug opened in the Arch bugtracker;
* coreutils: rebuild (links with libselinux);
* cronie: rebuild with '--with-selinux' flag;
* findutils: needs SELinux patch, can be upstreamed, but is upstream still alive?
* openssh: rebuild with '--with-selinux' flag;
* pambase: configuration changes to add pam_selinux.so;
* pam: rebuild with '--enable-selinux' flag for Linux-PAM, patch for pam_unix2, which only removes a function already implemented in a library elsewhere. Is there an upstream here? I couldn't find one;
* psmisc: small patch, already upstream. Will be in version 22.21;
* shadow: rebuild with '-lselinux' and '--with-selinux' flags;
* sudo: rebuild with '--with-selinux' flag;
* systemd: rebuild with '--enable-selinux' flag;
* util-linux: rebuild with '--with-selinux' flag;

Total: 1 rebuild as-is, 8 rebuilds with additional flags/config, 3 rebuilds with patches required (with one already upstream and two potentially dead upstream).

I think this looks good!

Suggestions for packages are welcomed as AUR comments or issues on GitHub: https://github.com/Siosm/siosm-selinux

A repository with signed packages for x86-64 only is available at http://repo.siosm.fr/siosm-selinux/ (see https://tim.siosm.fr/repositories/ if you need instructions or the GPG public key).

I'll also update the Arch Wiki SELinux page soon.

I'll set up another repository for the SELinux policy as soon as I have something which can boot in enforcing mode.

Cheers,
Tim
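A quick post-install check for the status list above, added here as an example and not part of the thread or the siosm-selinux repository: it runs ldd over one representative binary per rebuilt package and reports which ones actually link against libselinux. The package-to-binary mapping is an assumption, and the sample ldd output is constructed for offline testing.

```shell
#!/bin/sh
# Added example (not from the mailing list thread): verify that the rebuilt
# core packages' binaries really link against libselinux.

# Return 0 when ldd-style output lists libselinux, 1 otherwise.
links_libselinux() {
    printf '%s\n' "$1" | grep -q 'libselinux\.so'
}

# Inspect one installed binary; prints "<pkg>: linked|not linked|missing".
# Exit status: 0 linked, 1 not linked, 2 binary absent.
check_binary() {
    pkg=$1
    bin=$2
    if [ ! -e "$bin" ]; then
        echo "$pkg: missing ($bin)"
        return 2
    fi
    out=$(ldd "$bin" 2>/dev/null) || out=""
    if links_libselinux "$out"; then
        echo "$pkg: linked"
    else
        echo "$pkg: not linked"
        return 1
    fi
}

# Walk the packages from the status list (binary paths are assumptions)
# and return the number of packages that are not linked or not installed.
check_all() {
    failures=0
    for pair in "coreutils /usr/bin/ls" "cronie /usr/bin/crond" \
                "findutils /usr/bin/find" "openssh /usr/bin/sshd" \
                "psmisc /usr/bin/killall" "shadow /usr/bin/login" \
                "sudo /usr/bin/sudo" "systemd /usr/lib/systemd/systemd" \
                "util-linux /usr/bin/mount"; do
        set -- $pair
        check_binary "$1" "$2" || failures=$((failures + 1))
    done
    return $failures
}

# Constructed ldd output used to exercise the parser offline.
SAMPLE_LINKED='	libselinux.so.1 => /usr/lib/libselinux.so.1 (0x00007f0000000000)
	libc.so.6 => /usr/lib/libc.so.6 (0x00007f0000100000)'
SAMPLE_UNLINKED='	libc.so.6 => /usr/lib/libc.so.6 (0x00007f0000100000)'

if [ "${1:-}" = "--run" ]; then check_all; fi
```

Run it with `--run` on a machine that has the packages from the repository installed; a non-zero exit status is the count of packages still lacking the libselinux link.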
On Sun, Nov 3, 2013 at 9:32 PM, Timothée Ravier <siosm99@gmail.com> wrote:
* pam: rebuild '--enable-selinux' flag for Linux-PAM, patch for pam_unix2, which only removes a function already implemented in a library elsewhere. Is there an upstream here? I couldn't find one;
In the pam source tarball I've found the AUTHORS file:

Original authors and current maintainers of Linux-PAM:
Andrew G. Morgan <morgan@kernel.org>
Dmitry V. Levin <ldv@altlinux.org>
Thorsten Kukuk <kukuk@thkukuk.de>
Sebastien Tricaud <toady@gscore.org>
Tomas Mraz <t8m@centrum.cz>

Thorsten Kukuk seems to be the maintainer.

Cheers,
Szymon Szydełko
Hi,

On 03.11.2013 21:32, Timothée Ravier wrote:
I've updated all the SELinux related packages in the AUR.
Looks great. As soon as I have some spare time I will give it a try.
I'll set up another repository for the SELinux policy as soon as I have something which can boot in enforcing mode.
What is your current approach to come up with a reasonable policy? In what fashion do you plan to split up the policies themselves? Will your policies be based upon the reference ones (see [1])?

[1]: http://oss.tresys.com/projects/refpolicy/

Best regards,
Karol Babioch
Hi,

On 03/11/2013 23:50, Karol Babioch wrote:
Looks great. As soon as I have some spare time I will give it a try.
Thanks! If you're building by hand, have a look at the quick README here: https://github.com/Siosm/siosm-selinux/blob/master/README.md
I'll set up another repository for the SELinux policy as soon as I have something which can boot in enforcing mode.
What is your current approach to come up with a reasonable policy? In what fashion do you plan to split up the policies themselves? Will your policies be based upon the reference ones (see [1])?
As far as I know, the Fedora SELinux policy is quite comprehensive and includes most of the software used in Arch Linux. If I'm not mistaken, it is based on the reference policy made by Tresys.

However, I'm not planning on supporting non-MLS/MCS systems and I will probably only make one policy with support for all the SELinux features (including MLS/MCS). In my opinion, this will avoid the current status with the three Fedora policies. This is a personal opinion: it feels like the only one "working" is the default one (targeted) and the two others (minimal and mls) receive minimal testing and are thus mostly useless... I don't think we need to maintain several policy versions and I don't want to waste time supporting policies I won't use.

The battle plan is:
* strip modules from the Fedora policy to the minimum required to boot a minimal installation;
* fix those modules; it's probably mostly going to be about paths, as Fedora uses libexec which we don't have, and has not yet merged /usr/sbin with /usr/bin;
* add stripped modules back progressively.

Cheers,
Tim
From the website: http://www.freedesktop.org/wiki/Software/systemd/TipsAndTricks/
It suggests running the following to see what would execute on boot:

# systemd --test --system --unit=multi-user.target

If I run this as root, I get "command not found", so it is not in $PATH. If I run it as root, I get "don't run as root":

# /usr/lib/systemd/systemd --test --system --unit=multi-user.target
Don't run test mode as root.

If I run as user, I get a bunch of errors:

$ /usr/lib/systemd/systemd --test --system --unit=multi-user.target
systemd 208 running in system mode. (+PAM -LIBWRAP -AUDIT -SELINUX -IMA -SYSVINIT +LIBCRYPTSETUP +GCRYPT +ACL +XZ)
Failed to set hostname to <arch-t3400>: Operation not permitted
Failed to open /dev/tty0: Permission denied
Failed to create root cgroup hierarchy: Permission denied
Failed to allocate manager object: Permission denied

Is there a way to use this command properly?

Wayne
2013/11/3 Timothée Ravier <siosm99@gmail.com>
Hi,
I've updated all the SELinux related packages in the AUR. I've changed most package names to better fit with upstream names and the AUR naming policy (selinux-pam -> pam-selinux; selinux-usr-libselinux -> libselinux). I'll keep the old ones a week or two, just in case, then I'll ask for deletion.
I've only tested those packages in SELinux _disabled_ mode as currently there isn't any usable policy. I'll be working on this from now on.
Status of core packages that require patches or rebuild:

* linux: rebuild. Bug opened in the Arch bugtracker;
* coreutils: rebuild (links with libselinux);
* cronie: rebuild with '--with-selinux' flag;
* findutils: needs SELinux patch, can be upstreamed, but is upstream still alive?
* openssh: rebuild with '--with-selinux' flag;
* pambase: configuration changes to add pam_selinux.so;
* pam: rebuild with '--enable-selinux' flag for Linux-PAM, patch for pam_unix2, which only removes a function already implemented in a library elsewhere. Is there an upstream here? I couldn't find one;
* psmisc: small patch, already upstream. Will be in version 22.21;
* shadow: rebuild with '-lselinux' and '--with-selinux' flags;
* sudo: rebuild with '--with-selinux' flag;
* systemd: rebuild with '--enable-selinux' flag;
* util-linux: rebuild with '--with-selinux' flag;
Total:
1 rebuild as-is, 8 rebuilds with additional flags/config, 3 rebuilds with patches required (with one already upstream and two potentially dead upstream).
I think this looks good!
Suggestions for packages are welcomed as AUR comments or issues on GitHub: https://github.com/Siosm/siosm-selinux
A repository with signed packages for x86-64 only is available at http://repo.siosm.fr/siosm-selinux/ (see https://tim.siosm.fr/repositories/ if you need instructions or the GPG public key).
I'll also update the Arch Wiki SELinux page soon.
I'll set up another repository for the SELinux policy as soon as I have something which can boot in enforcing mode.
Cheers,
Tim
I have to congratulate you and all devs for the really great work. A big thanks!
On 03/11/2013 21:32, Timothée Ravier wrote:
Status of core packages that require patches or rebuild:

* findutils: needs SELinux patch, can be upstreamed, but is upstream still alive?
* pam: rebuild with '--enable-selinux' flag for Linux-PAM, patch for pam_unix2, which only removes a function already implemented in a library elsewhere. Is there an upstream here? I couldn't find one;
* psmisc: small patch, already upstream. Will be in version 22.21;
Total:
1 rebuild as-is, 8 rebuilds with additional flags/config, 3 rebuilds with patches required (with one already upstream and two potentially dead upstream).
Quick update here:

* The findutils patch is already upstream and in the latest *development* release (4.5.10). No ETA for the stable release. They need help fixing bugs if someone is interested [0].
* According to Thorsten Kukuk (latest known pam_unix2 developer), pam_unix2 is no longer under development and we should use Linux-PAM, which we are using already. Is there a reason pam_unix2 is still in the repository?

So the only patch not already upstream is the one with a dead upstream.

Now let's go back to work on the policy...

[0] https://savannah.gnu.org/bugs/?group=findutils

Tim
participants (5)
- Eduardo Machado
- Karol Babioch
- Szymon Szydełko
- Timothée Ravier
- Wayne S